When EUEM components are deployed, they communicate with each other in different ways. Let’s refer to the basic architecture of a simple EUEM deployment.
All the communications between EUEM components occur on a secure channel using HTTPS. The same goes for managing EUEM by accessing its web interface.
The Collector and the Analyzer have their own built-in SSL certificates. When deployed, a self-signed SSL certificate is generated for each component. Given that authentication between EUEM components is done via user accounts, there is no two-way SSL authentication as in other TrueSight Operations Management products.
Replacing an SSL certificate on any EUEM component does not impact the entire deployment and does not cause any disruption in the way the product works. This means that one can use a signed certificate on an Analyzer and still use the self-signed certificate on the Collector without breaking the flow between the components. This also means that one does not have to change anything on the TrueSight Presentation Server for the Analyzer & TSPS integration or on the App Visibility Portal server when the App Visibility integration is configured.
As long as the configured SSL certificate is a valid and signed one, there is no problem!
The steps below are for the Real User Analyzer, but the same procedure applies to the Real User Collector. Since there is no web UI for Cloud Probe, there is no SSL certificate on Cloud Probe to change.
EUEM is a Java application running on a Tomcat server. Replacing the SSL certificate is very simple. The steps are:
- Get a signed SSL certificate from a Certificate Authority and the original SSL private key.
- Bundle them in a Java keystore format.
- Configure EUEM to use this keystore instead of the default one created at installation time.
Important notice: It is your responsibility to provide the Java keystore file. BMC is not responsible and will not provide help in generating it.
Configuring the Analyzer to use your keystore file
- Copy your keystore file to the Real User Analyzer server.
- Make a copy of the following file as a backup.
- Edit the server.xml file.
- Look for the following lines. The first line is a pointer to the full pathname of your keystore file. The second line specifies the password (*) to that keystore.
- Restart the Real User Analyzer at your convenience to have the changes take effect.
If you have the Real User Collector deployed on the same system, you have to repeat the steps, as its SSL certificate configuration is separate.
(*) About storing the keystore password in clear text in the server.xml file: this is a constraint of the Tomcat design itself. It is fully described in the official Apache Tomcat FAQ.
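Because the keystore password sits in clear text in server.xml, it is worth checking the file before the restart. The following is an added example, not BMC's or the original article's code: it assumes POSIX file permissions and that the two lines in EUEM's server.xml use the standard Tomcat Connector attributes keystoreFile and keystorePass; the sample XML and the function name check_server_xml are constructed for illustration.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Constructed sample. keystoreFile / keystorePass are the standard Tomcat
# Connector attributes, assumed to be the two lines edited in server.xml.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="443" SSLEnabled="true" scheme="https" secure="true"
             keystoreFile="{keystore}" keystorePass="example-password"/>
</Service></Server>"""


def check_server_xml(path):
    """Return a list of findings for the HTTPS connectors in a server.xml."""
    findings = []
    # The keystore password is stored in clear text, so server.xml must
    # not be accessible to group or other accounts.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path}: mode {mode:03o} exposes the keystore password")
    connectors = [c for c in ET.parse(path).getroot().iter("Connector")
                  if c.get("keystoreFile") is not None]
    if not connectors:
        findings.append(f"{path}: no Connector with keystoreFile found")
    for conn in connectors:
        port = conn.get("port", "?")
        keystore = conn.get("keystoreFile")
        if not conn.get("keystorePass"):
            findings.append(f"port {port}: keystorePass is missing or empty")
        if not os.path.isabs(keystore):
            findings.append(f"port {port}: keystoreFile is not a full pathname")
            continue
        if not os.path.isfile(keystore):
            findings.append(f"port {port}: keystore {keystore} does not exist")
        elif stat.S_IMODE(os.stat(keystore).st_mode) & stat.S_IRWXO:
            # The keystore holds the private key; keep it away from other users.
            findings.append(f"port {port}: keystore is accessible to all users")
    return findings


if __name__ == "__main__":
    import sys
    for server_xml in sys.argv[1:]:
        for finding in check_server_xml(server_xml):
            print(finding)
```

An empty result means the referenced keystore exists at a full pathname and neither file is exposed to other accounts; it does not validate the certificate chain or the password itself.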